Crouching Tiger, Hidden Chinese Hackers

The Iranian Cyber Army may be the latest elite military hacking squad to hit the headlines, but Iran has a long way to go if it is to catch up with China in terms of international data theft. According to one newly published report into the threat from Chinese state-sponsored espionage activity, the true scale and nature of these cyber-attacks are rather more organised than most people assume.

Context Information Security argues in the 'Hidden Tiger, Crouching Dragon, Stolen Data' report that while cyber-attacks originating from China are nothing new, they have grown in both size and scope in recent years in order to support the drive for business intelligence and IP that the development and expansion of the new 'open' Chinese economy demands.

The bottom line is that foreign governments and businesses alike have shown a reluctance to act upon this increasing threat, fearful that political, or worse still economic, isolation may follow. Throw this reticence into the ring with an already under-invested information security infrastructure across many cash-strapped Western businesses, stir in a distinct lack of the kind of user education needed to spot the early warning signs of these attacks, and you have a recipe for potential disaster.

You can be sure that the kind of attacks analysed in the report are neither random nor indiscriminate; they have a real purpose, which according to Context is to "steal information that will fulfil a clear set of requirements set by the Chinese state and furnish them with political, commercial and security/intelligence information". What's more, the report authors suggest that these requirements are not only clearly identified and shared amongst multiple Chinese government departments but also regularly updated.

"This is a structured program and the main protagonists in China are widely believed to be the Third Department of the People's Liberation Army," Context warns, adding "even using conservative estimates it is likely that the program employs thousands of military personnel. While the military program may be the most developed and sophisticated, it is likely that other parts of the Chinese state and even the private sector may also be carrying out similar attacks".

Reading the report it becomes quite clear that technology industry sectors such as aerospace, biotech, defence, electronics, energy, manufacturing, pharmaceuticals and telecoms are most at risk, along with the service firms, such as accountancy and law companies, that have access to their confidential data. These are the areas in which China is determined to excel, according to documents such as the Five Year Plan and the National Outline for Medium and Long Term Development.

Context suggests that the most likely recipients of any commercial data stolen by state-sponsored hacking activity will be the state-owned companies, 117 of them in all, which currently dominate the Chinese economy and are very closely aligned to the Communist Party, which maintains power over everything from strategic direction to management appointments.

The report does admit that it is not only the military, specifically the Third Department of the People's Liberation Army, which has a cyber-operations remit, but also nuclear construction companies, the Chinese government department dealing with the energy industry and any number of hacking groups closely affiliated with the state. An ironically capitalist competitive element would appear to have been introduced into the race for stolen data, with the winner reaping the financial and political rewards.

It's hard to know exactly how many people are actively involved with state-sponsored hacking in China, but if you take into account the estimated size of the 3PLA, around 130,000 strong, then throw in the 2PLA, which is also thought to be actively involved although to a lesser degree, the problem does start to come into perspective. Context looked at the likely numbers within the 3PLA that are actively involved with international cyber-espionage and concluded that there are probably a hundred or so dealing exclusively with malware development (with help from the Chinese hacking community in terms of tool resources), a couple of thousand 'low-level operators' supported by a few hundred more advanced techies dealing with the actual intrusions themselves, and some very small teams making up the infrastructure and operational security support. And that's not all: you also have to count the processing and analysis experts, who could number a few thousand and specialise in language translation and report writing.

There are, the report concludes, at least 7,000 crouching tigers and hidden dragons working on the state-sponsored cyber-attack program in China. That's "7,000 people directly involved in hacking foreign computer networks for the Chinese military and processing the output of those attacks", according to Context.

Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.

The real question is - given the persistence of this threat, why aren't we doing more out-of-the-box thinking to address it? Given the sensitivity and complexity of military technology, it seems we could inflict some pretty serious damage by setting up some honeypots with technical data that looked right, but with some subtle yet critical errors embedded. More on that here: http://technologydimensions.blogspot.com/2012/01/invert-always-invert.html